DATA PROCESSING AGREEMENT
This data processing agreement is between First App Holdings Limited (“First App”), Aceville Pte Ltd. (“Aceville”) (First App and Aceville, each a “Data Processor”) and the user that has entered into the End User Service Agreement (“EUSA”), as data controller (the “User”), and incorporates the terms and conditions set out in the Schedules attached hereto (the “DPA”).
In respect of this DPA, if the User is located in Singapore, references to “Data Processor” or “VooV Meeting” shall be read as a reference to Aceville; and if the User is located outside of Singapore, references to “Data Processor” or “VooV Meeting” shall be read as a reference to First App. “VooV Meeting” refers to the relevant Data Processor, depending on where the User is located.
Each User has appointed VooV Meeting to provide videoconferencing and associated services to the User. As a result of the provision of such services to the User in accordance with the EUSA, Data Processor will store and process certain personal data of the User, in each case as described in further detail in Schedule 2 (Processing Details).
The DPA is being put in place to ensure that VooV Meeting processes personal data under each User’s control on the User’s instructions and in compliance with Applicable Data Protection Laws.
The parties to this DPA hereby agree to be bound by the terms and conditions in the attached Schedules as applicable with effect from the date the User is deemed to have agreed to the terms of the EUSA (in accordance with the terms of such agreement).
(a) Each User wishes to appoint VooV Meeting to Process Personal Data, as further described in Schedule 2 (Processing Details).
(b) This DPA is being put in place to ensure that VooV Meeting processes each User’s Personal Data on User’s instructions and in compliance with the Applicable Data Protection Laws (as defined below).
1.1 Any capitalized term that is used, but not defined, in this DPA shall have the meaning ascribed to such term in the EUSA.
1.2 The Data Processor and the User are each a ‘party’ and together the ‘parties’.
1.3 For the purposes of this DPA, the following expressions bear the following meanings unless the context otherwise requires:
“Applicable Data Protection Laws” means any law, regulation or other binding instrument (i) relating to the Processing of Personal Data pursuant to this DPA, including the GDPR, the UK GDPR, the UK Data Protection Act 2018, the e-Privacy Directive 2002/58/EC and the e-Privacy Regulation 2017/0003 (once it takes effect), and (ii) which implements the e-Privacy Directive, the GDPR or the e-Privacy Regulation (once it takes effect) (in each case as amended, consolidated, re-enacted or replaced from time to time);
“Data Processor” shall have the meaning set forth in the recitals of this DPA;
“Data Subject” means the living individuals who are the subject of the Personal Data;
“GDPR” means, as applicable, the General Data Protection Regulation (EU) 2016/679 and the GDPR as amended and incorporated into UK law by the Data Protection Act 2018 and under the European Union (Withdrawal) Act 2018, to the extent in force;
“Model Clauses” means the standard contractual clauses for the transfer of Personal Data to data processors established in Third Countries set out in the Commission Decision of 5 February 2010 (C(2010) 593), as amended by EU Commission Implementing Decision 2016/2297 of 16 December 2016 and as amended, updated or replaced from time to time;
“Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
“Process”, “Processed” or “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
“Regulator” means the data protection supervisory authority which has jurisdiction over a User’s Processing of Personal Data;
“Third Countries” means all countries outside of the scope of the data protection laws of the European Economic Area (“EEA”) or United Kingdom, excluding countries approved as providing adequate protection for Personal Data by the European Commission from time to time, which at the date of this DPA include Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, Switzerland and Uruguay;
“UK GDPR” means the retained EU law (as defined in the European Union (Withdrawal) Act 2018) which is implemented via the GDPR Retained EU Legislation Regulation; and
“VooV Meeting” shall have the meaning set forth in the recitals of this DPA.
2.1 This DPA governs the terms under which VooV Meeting is required to Process Personal Data on behalf of the User(s).
3.1 VooV Meeting shall:
(a) Process the Personal Data only on documented instructions from the User, including with regard to transfers of Personal Data to Third Countries or an international organisation, unless required to Process such Personal Data by applicable law to which VooV Meeting is subject; in such a case, VooV Meeting shall inform the User of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest;
(b) ensure that its personnel authorised to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
(c) implement appropriate technical and organisational security measures to ensure a level of security appropriate to the risk, as set out in Schedule 3 to this DPA;
(d) taking into account the nature of the Processing, assist the User by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the User’s obligation to respond to requests for exercising the Data Subject’s rights laid down in the Applicable Data Protection Laws;
(e) promptly notify the User in writing upon becoming aware of any improper, unauthorised or unlawful access to, use of, or disclosure of Personal Data, or of any other event which affects the availability, integrity or confidentiality of Personal Data which is Processed by VooV Meeting under or in connection with this DPA, and provide further information about the breach in phases, promptly, as more details become available;
(f) assist the User in ensuring compliance with the obligations to (i) implement appropriate technical and organisational security measures; (ii) notify (if required) Personal Data breaches to Regulators and/or individuals; and (iii) conduct data protection impact assessments and, if required, prior consultation with Regulators;
(g) ensure that all Personal Data Processed on behalf of the User will be stored and processed for the duration of the meeting only and solely to facilitate the User’s communications during the meeting, following which VooV Meeting will delete the Personal Data;
(h) make available to the User all information necessary to demonstrate compliance with the obligations laid down in this Clause 3, and allow for and contribute to audits, including inspections, conducted by the User or another auditor mandated by the User.
3.2 In the event that the information provided in accordance with Clause 3.1(h) above is insufficient to reasonably demonstrate compliance, VooV Meeting shall permit an industry standard audit to be conducted by an independent third party auditor chosen by the User, on reasonable notice, to audit VooV Meeting’s compliance with its obligations under this DPA. Such audits shall (i) be at the User’s cost; (ii) be conducted between 9am and 5pm on business days (excluding, for the avoidance of doubt, weekends and public holidays); (iii) not be conducted by any competitor of VooV Meeting; (iv) not interfere with VooV Meeting’s day-to-day business; and (v) to the extent an inspection is required, be limited to an inspection of VooV Meeting’s Processing facilities in order to review compliance with this DPA.
3.3 Where VooV Meeting Processes, accesses and/or stores Personal Data in any Third Country, VooV Meeting shall comply with the data importer’s obligations set out in the Model Clauses, which are hereby incorporated into and form part of this DPA (with the processing details set out in Schedule 2 (Processing Details) and the technical and organisational security measures set out in Schedule 3 (Technical and Organisational Security Measures) applying for the purposes of Appendix 1 and Appendix 2 of the Model Clauses, respectively), and the User(s) will comply with the data exporter’s obligations in such Model Clauses.
4.2 Each User warrants that: (i) the legislation applicable to it does not prevent VooV Meeting from fulfilling the instructions received from the User(s) and performing VooV Meeting’s obligations under this DPA; (ii) it has complied and continues to comply with the Applicable Data Protection Laws, in particular that it has obtained any necessary consents or given any necessary notices, and otherwise has a legitimate ground to enable the Processing of the Personal Data by VooV Meeting as set out in this DPA and as envisaged by any services agreement in place between the parties.
4.3 Each User agrees that it will indemnify and hold harmless VooV Meeting on demand from and against all claims, liabilities, costs, expenses, loss or damage (including consequential losses, loss of profit and loss of reputation and all interest, penalties and legal and other professional costs and expenses) incurred by VooV Meeting arising directly or indirectly from a breach of this Clause 4.
5.2 In the event that VooV Meeting engages a sub-processor for carrying out specific Processing activities on behalf of the User, where that sub-processor fails to fulfil its obligations, VooV Meeting shall remain fully liable under the Applicable Data Protection Laws to the User for the performance of that sub-processor’s obligations.
The provisions of “20. GOVERNING LAWS AND DISPUTE RESOLUTION” in the EUSA shall apply mutatis mutandis to this DPA, except that references therein to: (i) “Terms”; (ii) “we” or “us”; and (iii) “you” or “your” shall mean: (x) the provisions of this DPA; (y) the Data Processor; and (z) the User, respectively, for the purposes of this DPA.
The Processing activities shall consist of:
Processing for the purposes of performing the services described in the EUSA.
The Personal Data Processed by VooV Meeting will be subject to the following basic Processing activities:
The Personal Data Processed by VooV Meeting concern the following categories of Data Subjects:
Users of the VooV Meeting platform and any individuals who are the subject of the data.
Categories of Data
The Personal Data Processed by VooV Meeting includes the following categories of data:
Personal Data transmitted by the users of the VooV Meeting platform (for example, by setting up a video or audio transmission, or by sharing information on VooV Meeting). These include:
· Audio and video data, including screen sharing (which is encrypted and can only be viewed in real time);
· Shared files (meeting documents that can be viewed and edited before, during or after meetings);
· Chat contents; and
· Calendar data.
Special Categories of Data (if appropriate)
The Personal Data Processed by VooV Meeting concern the following special categories of data:
Special categories of data are not required to use the Service. Users may submit special categories of data to VooV Meeting, the extent of which is determined and controlled by Users in their sole discretion. Such special categories of data include, but may not be limited to, Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and data concerning an individual’s health or sex life.
(a) standards for data categorisation and classification;
(b) a set of authentication and access control capabilities at the physical, network, system and application levels; and
(c) a big-data-based mechanism for detecting abnormal behaviour.
Implement stringent rules on internal network isolation to achieve access control and boundary protection for internal networks (including office networks, development networks, testing networks and production networks) by way of physical and logical isolation.
Physical and environmental security.
Stringent infrastructure and environmental access controls for data access, based on the relevant regional security requirements. An access control matrix is to be established, based on the types of personnel and their respective access privileges, to ensure effective management and control of access by operations personnel.
Operate active and real-time service monitoring, combined with a rapid response and handling mechanism, that enables prompt detection and handling of security incidents.
Compliance with standards.
Compliance with the following standards:
(a) Information security management system – ISO/IEC 27001:2013.
(b) IT service management – ISO/IEC 20000-1:2011.
(c) Quality management system – ISO 9001:2015.
(d) Protection of personally identifiable information (PII) in public clouds acting as PII processors – ISO/IEC 27018:2014.
(e) CSA Security, Trust & Assurance Registry (STAR).